NACM issue with built-in paths

I am trying to restrict access to the built-in function logout session to specific user roles.
I am testing with a user that should be restricted from using the command due to the NACM rules.
The user id is:
MDS1-ESUA# id
user = bolt-standard(1004), gid=5000, groups=standard, gids=5000
I have this rule to block the command

<rule-list>
  <name>non-admin-override-rules</name>
  <group>maintenancexxx</group>
  <group>readonlyxxx</group>
  <group>standardxxx</group>
  <rule>
    <name>tailf-aaa-authentication</name>
    <module-name>tailf-aaa</module-name>
    <path>/aaa/authentication/users/user[name='$USER']</path>
    <access-operations>read</access-operations>
    <action>permit</action>
  </rule>
  <rule>
    <name>tailf-aaa-user</name>
    <module-name>tailf-aaa</module-name>
    <path>/user[name='$USER']</path>
    <access-operations>read</access-operations>
    <action>permit</action>
  </rule>
  <rule>
    <name>aaa</name>
    <path>/aaa</path>
    <access-operations>create read update delete exec</access-operations>
    <action>deny</action>
  </rule>
  <rule>
    <name>deny-logout-session</name>
    <path>/system/logout</path>
    <access-operations>create read update delete exec</access-operations>
    <action>deny</action>
  </rule>
</rule-list>

I have turned on the confd developer log to the trace level. This user is able to execute the command with no restrictions. I don’t know why.
MDS1-ESUA# logout session ?
Possible completions:
27 admin@127.0.0.1 maapi 13:40:31
28 admin@127.0.0.1 maapi 13:40:31
32 bolt-standard@10.99.99.110 cli 13:43:19 (*)
34 admin@10.99.99.110 cli 13:44:31
MDS1-ESUA# logout session 34
MDS1-ESUA#

I am including the full running NACM ruleset for reference here.
show running-config nacm rule-list
nacm rule-list support-rules
group [ support ]
rule support-all-rule
module-name *
access-operations *
action permit
context *
!
!
nacm rule-list global-rules
group [ none ]
rule global-ont-rule
module-name *
path /tolt/ont/config
access-operations create,delete
action deny
context *
!
rule global-uni-rule
module-name *
path /tolt/interfaces/uni/config
access-operations create,delete
action deny
context *
!
rule global-net-rule
module-name *
path /tolt/interfaces/net/config
access-operations create,delete
action deny
context *
!
rule global-nni-rule
module-name *
path /tolt/interfaces/nni/config
access-operations create,delete
action deny
context *
!
rule global-user-rule
module-name *
path /aaa/authentication/users
access-operations *
action deny
context *
!
rule global-cpu-interface-rule
module-name *
path /tolt/interfaces/nni/config[aid='OLT1-1']
access-operations *
action deny
context *
!
!
nacm rule-list admin-rules
group [ admin ]
rule admin-all-rule
module-name *
access-operations *
action permit
context *
!
!
nacm rule-list support-override-rules
group [ supportxxx ]
rule support-all-rule
module-name *
access-operations *
action permit
context *
!
!
nacm rule-list admin-override-rules
group [ adminxxx ]
!
nacm rule-list non-admin-override-rules
group [ maintenancexxx readonlyxxx standard standardxxx ]
rule tailf-aaa-authentication
module-name tailf-aaa
path /aaa/authentication/users/user[name='$USER']
access-operations read
action permit
context *
!
rule tailf-aaa-user
module-name tailf-aaa
path /user[name='$USER']
access-operations read
action permit
context *
!
rule aaa
module-name *
path /aaa
access-operations create,read,update,delete,exec
action deny
context *
!
rule deny-logout-session
module-name *
path /logout/session
access-operations create,read,update,delete,exec
action deny
context *
!
!
nacm rule-list readonly-override-rules
group [ readonlyxxx ]
rule only-read
module-name *
access-operations create,update,delete,exec
action deny
context *
!
!
nacm rule-list standard-override-rules
group [ standard standardxxx ]
rule all-tolt-permit
module-name *
path /tolt
access-operations create,read,update,delete,exec
action permit
context *
!
!
nacm rule-list maintenance-override-rules
group [ maintenancexxx ]
rule olt-backup-olt
module-name *
path /tolt/system/backup
access-operations read,exec
action permit
context *
!
rule olt-restore-olt
module-name *
path /tolt/system/restore
access-operations read,exec
action permit
context *
!
rule olt-software
module-name *
path /tolt/system/software
access-operations read,exec
action permit
context *
!
!
nacm rule-list security-override-rules
group [ securityxxx ]
rule deny-any-access
module-name *
access-operations create,read,update,delete,exec
action deny
context *
!
rule aaa-authentication-users
module-name *
path /aaa/authentication/users
access-operations create,read,update,delete
action permit
context *
!
!
MDS1-ESUA#

Hi Les,

This worked for me. For a CLI session with user oper (using the standard example config):

confd_cli -C -u oper

I can still do other commands:

# show running-config nacm rule-list oper 
nacm rule-list oper
 group [ oper ]
 cmdrule no-logout
  context cli
  command logout
  action  deny
 !
!

but I can’t logout

# logout

generates the devel.log:

User: oper[oper] rejected command "logout" op execute by full_match Command Rule "oper/no-logout"

Yes, I was really trying to block children of that command.

i.e. logout session which would prevent you from terminating another user’s session unless an admin.

i.e. The logout session and logout user, should have limits on who can execute them.

A user that has the lowest access rights possible can currently terminate the admin user’s session.

I had been trying to match on the logout session to block that for certain classes of users.

Can you contrast the cmdrule vs the rule structure that I have been using? Perhaps that is the key to my issues as I have been using the rule line item and it has had no effect on the command.

I’m assuming the difference is that cmdrule is for built in CLI commands and the “rule” item we have been using is for data members within the yang hierarchy?

Les.

I am attempting to block access to logout session (but not logout), because I want to be able to log out myself but not others.
I configured as you suggested.
MDS1-ESUA# show running-config nacm groups group standard
nacm groups group standard
user-name [ bolt-standard ]
!
MDS1-ESUA# show running-config nacm rule-list cmd-logout-session
nacm rule-list cmd-logout-session
cmdrule no-session
context cli
command "logout session"
access-operations read,exec
action deny
!
!
MDS1-ESUA#
Message from bolt-standard@MDS1-ESUA at 2025-06-21 13:41:49…
Your session has been terminated by bolt-standard
MDS1-ESUA# root@MDS1-ESUA:/usr/bob/db/confd-cdb#

I then logged in and was able to use the command even though I should not have been able to.
MDS1-ESUA# id
user = bolt-standard(1004), gid=100, groups=standard,users, gids=100,5000
MDS1-ESUA# logout session ?
Possible completions:
27 admin@127.0.0.1 maapi 2025-06-16
93 bolt-standard@10.99.99.110 cli 13:31:12 (*)
95 admin@127.0.0.1 cli 13:32:17
MDS1-ESUA# logout session 95
MDS1-ESUA#

Group is properly configured and is a member of the group.

Perhaps it is relevant to the fact that I am using a command "logout session", but I also tried just "session". Neither worked.

I also tried just command "logout", attempting to hide that, but I could still see and execute the command as the bolt-standard user in the group standard.

Never mind, got it.
When I created the new entry I forgot to add the group back to it. I did have it in my previous rule-list, but missed it when I created the new list for "built-in" commands.

It is now working correctly for me. Thank you, that got me working.
Corrected rule for reference, and it does allow me to specify the entire path.
nacm rule-list cmd-logout-session
group [ standard ]
cmdrule no-session
context cli
command "logout session"
access-operations read,exec
action deny
log-if-permit
!
!
MDS1-ESUA#
Logout is available, but logout session is not.

Thanks.
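As an added example (not code from this thread and not ConfD's own implementation), the following Python model shows the two points the thread turns on: a path-based data "rule" is never consulted for a built-in CLI command, and a rule-list with no "group" line applies to nobody, so its cmdrules are dead. It parses the CLI-format output of "show running-config nacm rule-list", reports group-less rule-lists, and decides a CLI command for a user by walking applicable rule-lists and their cmdrules in order. The sample config is constructed from the rule-lists posted above. Two things are assumptions of this model rather than documented ConfD behaviour: a cmdrule "command" is matched as a token prefix of the typed command, and the permit default stands in for ConfD's cmd-exec-default setting.

```python
"""Constructed model of how NACM rule-lists are consulted for ConfD CLI commands.
Not ConfD's code; see the lead-in for what is assumed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    kind: str      # "rule" = data rule (YANG path), "cmdrule" = CLI command rule
    name: str
    attrs: dict = field(default_factory=dict)


@dataclass
class RuleList:
    name: str
    groups: list = field(default_factory=list)
    rules: list = field(default_factory=list)


def parse_rule_lists(text):
    """Parse 'nacm rule-list ...' blocks; a line of '!' closes the innermost open block."""
    lists, cur_list, cur_rule = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if cur_rule is not None:
                cur_rule = None
            else:
                cur_list = None
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "nacm":
            cur_rule = None
            if rest.startswith("rule-list "):
                cur_list = RuleList(name=rest.split()[1])
                lists.append(cur_list)
            else:                   # some other 'nacm ...' line, not a rule-list
                cur_list = None
        elif cur_list is None:
            continue
        elif key == "group":
            # "group [ a b ]" -> ["a", "b"]; a list without a group line keeps [].
            cur_list.groups = [t for t in rest.split() if t not in ("[", "]")]
        elif key in ("rule", "cmdrule"):
            cur_rule = Rule(kind=key, name=rest)
            cur_list.rules.append(cur_rule)
        elif cur_rule is not None:
            cur_rule.attrs[key] = rest.strip('"')   # command "logout session" -> logout session
    return lists


def dead_rule_lists(lists):
    """Rule-lists with no group match no user, so their rules are never consulted."""
    return [rl.name for rl in lists if not rl.groups]


def cli_command_decision(lists, user_groups, command, context="cli", default_action="permit"):
    """Return (action, 'rule-list/rule') from the first matching cmdrule, in rule-list order.
    Data rules are skipped on purpose: 'logout session' is a CLI built-in, not a node
    under any YANG path.  default_action stands in for cmd-exec-default (assumed permit);
    the command is matched as a token prefix (assumption of this model)."""
    tokens = command.split()
    for rl in lists:
        if "*" not in rl.groups and not set(rl.groups) & set(user_groups):
            continue                      # this rule-list does not apply to the user
        for r in rl.rules:
            if r.kind != "cmdrule":
                continue
            a = r.attrs
            if a.get("context", "*") not in ("*", context):
                continue
            ops = a.get("access-operations", "*")
            if ops != "*" and "exec" not in ops.split(","):
                continue
            want = a.get("command", "*").split()
            if want == ["*"] or tokens[:len(want)] == want:
                return a.get("action", default_action), f"{rl.name}/{r.name}"
    return default_action, None


# Constructed config modelled on the thread: the data rule that cannot match a CLI
# command, and the cmdrule list that was first created without its group line.
BROKEN_CONFIG = """\
nacm rule-list non-admin-override-rules
 group [ maintenancexxx readonlyxxx standard standardxxx ]
 rule deny-logout-session
  module-name *
  path /logout/session
  access-operations create,read,update,delete,exec
  action deny
 !
!
nacm rule-list cmd-logout-session
 cmdrule no-session
  context cli
  command "logout session"
  access-operations read,exec
  action deny
 !
!
"""
# The fix from the thread: give the cmdrule list its group.
FIXED_CONFIG = BROKEN_CONFIG.replace("nacm rule-list cmd-logout-session\n",
                                     "nacm rule-list cmd-logout-session\n group [ standard ]\n")


def demo(user_groups=("standard",)):
    """Decide 'logout session 95' and plain 'logout' for a user under both configs."""
    broken, fixed = parse_rule_lists(BROKEN_CONFIG), parse_rule_lists(FIXED_CONFIG)
    return {
        "dead rule-lists in broken config": dead_rule_lists(broken),
        "broken: logout session 95": cli_command_decision(broken, user_groups, "logout session 95"),
        "fixed: logout session 95": cli_command_decision(fixed, user_groups, "logout session 95"),
        "fixed: logout": cli_command_decision(fixed, user_groups, "logout"),
    }


if __name__ == "__main__":
    for what, result in demo().items():
        print(f"{what}: {result}")
```

Running it for the bolt-standard user (group standard) reports cmd-logout-session as a dead rule-list under the broken config and a permit for "logout session 95" with no rule matched; under the fixed config the same command is denied by cmd-logout-session/no-session while plain "logout" stays permitted, which is the behaviour the thread ends with. Checking for group-less rule-lists is a cheap test to run on any NACM change before relying on it.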